Summary
The JWT-SVID specification requires that keys in the JWKS endpoint include `"use": "jwt-svid"` to clearly signal that these keys are intended for JWT-SVID verification. The current implementation sets `"use": "sig"` (the generic JWS value), which prevents conformant verifiers from distinguishing JWT-SVID keys from general signing keys.
Location
JWKS key construction in the token issuance / key management layer (wherever the JWK is built and served at `/.well-known/jwks.json`).
Impact
Conformant JWT-SVID verifiers MUST reject keys that do not carry `"use": "jwt-svid"`. This breaks interoperability with any standard SPIFFE workload API client.
Fix
Change the `use` field in the published JWK from `"sig"` to `"jwt-svid"`.
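The following is an added example, not code from the affected project: it models the key-selection step a conformant bundle consumer performs before signature verification (read `kid` from the token header, then consider only JWKS entries whose `use` is `"jwt-svid"`), and shows that a key published with `"use": "sig"` is never selected, while the same key relabelled per the fix above is. The key coordinates, `kid` value, SPIFFE ID and the token's signature segment are constructed placeholders; signature verification itself is out of scope here.

```python
import base64
import json
from typing import Optional

# Value the JWT-SVID / SPIFFE bundle format requires on JWT-SVID signing keys.
JWT_SVID_KEY_USE = "jwt-svid"


def _jwk(kid: str, use: str) -> dict:
    """Constructed P-256 JWK with placeholder coordinates (not real key material)."""
    return {"kty": "EC", "crv": "P-256", "kid": kid, "use": use,
            "x": "placeholder-x", "y": "placeholder-y"}


JWKS_BEFORE = {"keys": [_jwk("signer-1", "sig")]}               # current behaviour
JWKS_AFTER = {"keys": [_jwk("signer-1", JWT_SVID_KEY_USE)]}     # after the fix


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWT compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_svid(kid: str, spiffe_id: str) -> str:
    """Build a JWT-SVID-shaped token (constructed sample); the signature segment
    is a placeholder because only header parsing matters for key selection."""
    header = b64url_encode(json.dumps({"alg": "ES256", "kid": kid, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": spiffe_id, "aud": ["backend"], "exp": 0}).encode())
    return f"{header}.{payload}.placeholder-signature"


def select_jwt_svid_key(jwks: dict, token: str) -> Optional[dict]:
    """Select the verification key the way a conformant consumer does:
    match the header `kid`, but only among keys carrying use == "jwt-svid".
    Keys with a missing or different `use` (e.g. "sig") are ignored."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if kid is None:
        return None
    for key in jwks.get("keys", []):
        if key.get("use") != JWT_SVID_KEY_USE:
            continue
        if key.get("kid") == kid:
            return key
    return None


def fix_jwks_use(jwks: dict) -> dict:
    """The fix from the report: relabel published "sig" keys as "jwt-svid"."""
    fixed = {"keys": []}
    for key in jwks.get("keys", []):
        k = dict(key)
        if k.get("use") == "sig":
            k["use"] = JWT_SVID_KEY_USE
        fixed["keys"].append(k)
    return fixed


if __name__ == "__main__":
    token = make_unsigned_svid("signer-1", "spiffe://example.org/workload")
    print("before fix:", select_jwt_svid_key(JWKS_BEFORE, token))            # None
    print("after fix: ", select_jwt_svid_key(fix_jwks_use(JWKS_BEFORE), token)["kid"])
```

Running the block shows `None` for the current JWKS and `signer-1` once the `use` value is corrected; a verifier that cannot select a key has nothing to verify against, which is the interoperability failure the Impact section describes.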
Reference